All resources
Security5 min read

Test apps behind a login or private network

The local agent runs inside your network and connects outbound only, so a one-time pairing lets you crawl and test apps behind a login, including multi-role journeys, without opening a door in.

Plenty of what needs testing is not sitting on the public internet. A staging environment lives inside a private network, an internal tool sits behind the company VPN, an app is reachable only after a real login with a real role. Cloud runners cannot reach those on their own, and opening a hole in your network to let them in is not an answer. The local agent solves it a different way: it runs inside your network and reaches out, so nothing has to reach in.

Local agent · your network
Pairedone-time token
Outbound only
no inbound ports, no public exposure
Runs inside your network
on a machine that already reaches the app
staging.internal
reached behind your login
Multi-role journey
Admin Standard usereach sees the right thing
The local agent runs inside your network and reaches out, never in.

Outbound only, so nothing opens a door into your network

The agent is a small program you run on a machine that can already see the app you want to test, a laptop, a build server, a box inside the VPN. It makes an outbound connection to AxonQA and waits for work. There are no inbound ports to open, no firewall exceptions, and no public exposure of anything private. The app under test never leaves your network, and the agent only ever talks outward, the same direction your browser already does.

One-time pairing, then it just works

Setup is a one-time pairing, not a standing credential to manage. You download the agent, pair it to your project once with a token, and from then on it shows up as an available place to run. When you or Axon, your AI assistant, start a run that targets your private app, the work is handed to the paired agent automatically, executed locally, and the results, screenshots, and video come back to AxonQA like any other run.

  • Runs on a machine that already reaches the app, so no new network path is required.
  • Outbound-only connection, with no inbound ports and no public exposure.
  • One-time token pairing, revocable whenever you choose.
  • Full artifacts come back: verdicts, step timeline, screenshots, and video.

Crawl and test behind the login, across roles

Because the agent runs where the app is reachable, everything that works on public apps works here too. App discovery can crawl the private product, following its flows and mapping its pages so generation is grounded in the real thing rather than guesses. And because real apps behave differently for different people, the agent can drive multi-role journeys: sign in as an admin for one path and a standard user for another, and test that each role sees what it should and is blocked from what it should not.

The private app stays private

Keeping the work local is also what keeps it safe. The application you are testing is only ever reached from inside your own network, by a machine you already trust with it. AxonQA orchestrates the run and stores the results, but the traffic to your private app stays on your side of the boundary. You get cloud-grade tooling, reporting, and assistance over an app the cloud can never see directly.

Login walls and private networks are the usual reason real testing gets skipped, because the tooling could not reach the app. The local agent removes that excuse without weakening your security posture: outbound only, paired once, running where the app already lives. Point it at the environment behind the login, and everything else, discovery, generation, cross-role runs, and reporting, works exactly as it does in the open.

See these practices inside AxonQA

Generate structured test cases from your stories, then validate them with real runs on your own app.